On 22 September 2022, the Romanian DPA announced that it had sanctioned an online retail platform administrator with a EUR 2,000 fine for failing to implement adequate technical and organizational measures to ensure compliance with the data protection principles, both at the time of the determination of the means for processing and at the time of the processing itself.
The investigation was finalized in August 2022 and was launched following the receipt of a data breach notification submitted by the controller.
During the investigation, the Romanian DPA found that the data breach occurred when an application sending commercial communications to users of the controller’s website malfunctioned. This led to a confidentiality breach of the personal data belonging to 1757 data subjects.
The Romanian DPA concluded that the controller did not adopt the necessary technical and organizational measures in order to ensure a level of security appropriate to the risk entailed by the data processing operations.
According to publicly available sources, this is the fifth time in less than 30 days that the Romanian DPA has issued sanctions following data breach notifications submitted by the controllers themselves. The provisions of GDPR require companies to notify the competent DPA and, in some cases, the affected data subjects, depending on the likelihood and severity of a data breach’s impact on their rights and freedoms. However, there are certain scenarios in which the controller is not obliged to file a data breach notification. Therefore, a detailed assessment of the security incident should be undertaken on a case-by-case basis in order to make sure that notifying the DPA and/or the data subjects is, indeed, required.
If the controller decides that the data breach must be notified, it needs to make sure that the notification complies with all the requirements and appropriately describes the measures implemented for minimizing the potential negative outcomes generated by the data breach, thus mitigating the enforcement risks entailed by filing an inadequate notification.
The press release is available here (only in Romanian).